[Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1

Arnout Vandecappelle arnout at mind.be
Sat Oct 5 13:37:49 UTC 2019



On 27/08/2019 22:39, Peter Korsgaard wrote:
>>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at bootlin.com> writes:
> 
> Hi,
> 
>  >> > Does it make sense to backport just the security fix in master ?  
>  >> I could but this fix will add the glibc or musl toolchain dependency.
> 
>  > OK, so let's bring Peter Korsgaard in Cc. Since he maintains the
>  > stable/LTS branches, it is important to get his call on this issue.
> 
> Well, it is "complicated" ;) CVE-2019-5736 is the same issue we fixed
> for runc back in February (where the fix had some fallout).
> 
> But do notice:
> 
> - Issue only applies to privileged containers, which is explicitly
>   marked as unsafe by upstream - E.G. on their website:
> 
>   They're not safe at all and should only be used in environments where
>   unprivileged containers aren't available and where you would trust
>   your container's user with root access to the host.
> 
>   https://linuxcontainers.org/lxc/security/#LXC
> 
> - The current lxc version in 2019.02.x / 2019.05.x / 2019.08 is 3.1.0,
>   which is a development version of late 2018.
> 
> - A fix is available for the current LTS version (3.0.x, supported until
>   2023) and current development version (3.2.1)
> 
> 
> So our options are basically:
> 
> - Apply the patch to master and 2019.02.x / 2019.05.x
> 
> - Revert master/2019.05.x/2019.02.x to the LTS series, 3.0.4
> 
> - Cherry pick the fix to 3.1.0 for master/2019.05.x/2019.02.x
> 
> - Ignore the issue and only apply the patch to next
> 
> 
> I would say option 4 (ignore) or 2 (revert) sounds like the most
> sensible options to me.
> 
> What do others think?

 I tend to lean towards option 2, but option 4 is fine as well of course.

 Note that I scheduled a discussion about this type of problem (our LTS branch
ends up with a non-LTS version) for the developer meeting.


 Regards,
 Arnout
